Richard Lynch wrote:
>Would setCookie('user_id', $PHPSESSID, 0, '/othersite.com');
>
>let you get away with setting the cookies for the "other" site?
>
Luckily no. :-) There are vulnerabilities in IE 4.0 - 6.0 that will let you read/write cookies not in your domain, but this is a result of a bug in IE and not ordinary behavior.

>Hey, but all those stupid "Banner Ad" sites give me a cookie from the
>*other* guy's site.
>
>All ya gotta do is have three invisible GIFs on all three sites that come
>from the *other* sites and the GIF does the set_cookie() of whatever their
>user ID is.
>

I'm not sure where you got this idea, but you should investigate further. A banner ad is usually nothing more than an image, and your browser will make a completely separate HTTP GET request for that image. When that is the case, there is no way the remote site can read or write cookies outside of its own domain. They can set cookies from their own domain, and you might see the cookie warnings on the same "page" or whatever, but the domains will definitely be different.

Happy hacking.

Chris
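The domain rule discussed in this thread, as an added example that is not part of the original messages: a simplified sketch of the RFC 6265 check a browser applies to each Set-Cookie header. The function names and host names are constructed for illustration, and the public-suffix check and default-path computation that real browsers also perform are left out.

```javascript
// Added illustration; function names and hosts are hypothetical.
// RFC 6265 section 5.1.3: does the responding host domain-match cookieDomain?
function domainMatch(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase().replace(/^\./, "");
  if (host === cookieDomain) return true;
  // IP literals only match exactly, never as a suffix.
  const isIp = /^[0-9.]+$/.test(host) || host.includes(":");
  return !isIp && host.endsWith("." + cookieDomain);
}

// Decide what a browser does with one Set-Cookie header from requestHost.
// Simplifications: path defaults to "/", no public-suffix list lookup.
function acceptSetCookie(requestHost, header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  if (!pair.includes("=")) return { stored: false };
  let domain = null;
  let path = "/";
  for (const attr of attrs) {
    const eq = attr.indexOf("=");
    const name = (eq < 0 ? attr : attr.slice(0, eq)).trim().toLowerCase();
    const value = eq < 0 ? "" : attr.slice(eq + 1).trim();
    if (name === "domain" && value) domain = value;
    if (name === "path" && value.startsWith("/")) path = value;
  }
  const host = requestHost.toLowerCase();
  if (domain === null) {
    // No Domain attribute: host-only cookie for the responding host.
    return { stored: true, domain: host, hostOnly: true, path };
  }
  // A Domain the responding host does not belong to is ignored outright.
  if (!domainMatch(host, domain)) return { stored: false };
  domain = domain.toLowerCase().replace(/^\./, "");
  return { stored: true, domain, hostOnly: false, path };
}

// Constructed cases mirroring the thread.
// 1. PHP's fourth setcookie() argument is the path, so '/othersite.com'
//    only yields a path-restricted cookie on the sending site itself.
const asPath = acceptSetCookie("www.site-a.example", "user_id=abc123; path=/othersite.com");
// 2. Naming a foreign domain explicitly is rejected.
const foreign = acceptSetCookie("www.site-a.example", "user_id=abc123; Domain=othersite.example");
// 3. A banner image fetched from the ad host sets a cookie for the ad host's
//    own domain, not for the page that embedded the image.
const banner = acceptSetCookie("ads.banner.example", "uid=42; Domain=banner.example");
console.log(asPath, foreign, banner);
```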